Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense


How Trend Micro Deep Security Can Help:
A Mapping to the SANS Top 20 Critical Security Controls





» Addressing the SANS Top 20 Critical Security Controls can be a daunting task. With a broad 
range of security controls, Trend Micro Deep Security can help organizations streamline the 
security of servers across hybrid cloud deployments. 
INTRODUCTION


In the face of increasing reports of data losses, ransomware attacks like WannaCry & Erebus,
intellectual property theft, credit card breaches, and threats to user privacy, organizations today
are faced with an increasing pressure to ensure that their corporate and user data remains secure.
They are also obligated to address compliance with a wide range of industry regulations and laws,
making it challenging to understand how best to approach the problem. Finally, with the advent of
widespread cloud usage and the shifting to a shared security responsibility model for cloud
workloads, organizations are forced to apply security in new ways that often don’t fit with
traditional approaches.

[Sidebar statistics: 89% of breaches had a financial or espionage motive; 3,141 confirmed data
breaches across 82 countries. Source: Verizon 2016 Data Breach Investigations Report]


CRITICAL CONTROLS FOR EFFECTIVE CYBER DEFENSE


“the Center for Internet Security’s Critical Security Controls identify a minimum level of
information security that all organizations that collect or maintain personal information should
meet. The failure to implement all the Controls that apply to an organization’s environment
constitutes a lack of reasonable security.”

California Attorney General, California Dept. of Justice, California Data Breach Report, Feb. 2016





In order to help, the SANS Institute, working in concert with the Center for Internet Security
(CIS), has created a comprehensive security framework, the Critical Security Controls (CSC) for
Effective Cyber Defense (often referred to as the SANS Top 20) [1], that provides organizations
with a prioritized, highly focused set of actions that are implementable, usable, scalable, and
compliant with global industry & government security requirements. These recommended security
controls also serve as the foundation for many regulations & compliance frameworks, including
NIST 800-53, PCI DSS, ISO 27002, CSA, FedRAMP, HIPAA, Europe’s GDPR, and many others [2].


There are several reasons that businesses, regulatory bodies and governments have embraced the
Top 20 CSC as the foundation for security strategies and frameworks:

• Implementation of the controls can reduce the potential impact of known high risk attacks as
  well as attacks expected in the future.

• The controls are comprehensive and address the most important areas of concern.

• The controls were generated by experts in both the federal government and private industry.

• The controls are well written, approachable and make common security requirements easy to
  understand and implement.


HOW TREND MICRO DEEP SECURITY CAN HELP 


As organizations implement a security framework like the SANS Top 20 Critical Security Controls to
address their needs, Trend Micro Deep Security can play a significant role in addressing many of
the critical requirements. Delivered from the market leader in server security [3], Deep Security
streamlines operations through its ability to secure workloads across physical, virtual, cloud, &
container environments. Available as software, service (PCI DSS Level 1 certified), or via the AWS
and Azure marketplaces, it can help organizations streamline the purchasing and implementation of
the essential security elements recommended by the CIS. With proven API-level integration with
VMware, AWS, and Azure, Deep Security provides full visibility across the hybrid cloud, and
includes the ability to automate security aligned with DevOps approaches.


[1] The CIS Critical Security Controls for Effective Cyber Defense Version 6.0. October 2015
[2] Mapping to the CIS Critical Security Controls. January 2016
[3] Worldwide Endpoint Security Market Share, IDC #US41867116


Trend Micro Deep Security is a host-based security control product that secures millions of
servers across thousands of customers around the world. It includes a cross-generational blend of
security controls for protecting server & container workloads, including:

[Figure: Deep Security control wheel showing Application Control, Integrity Monitoring, Sandbox
Analysis, Machine Learning (2H/17), Behavioral Analysis, Response & Containment, Anti-Malware &
Content Filtering, and Prevention, backed by the Trend Micro Smart Protection Network]

• Network security enabling virtual patching, network attack prevention, and lateral movement
  prevention through Intrusion Detection & Protection (IDS/IPS) and a host-based firewall

• Malware prevention with anti-malware & content filtering, behavioral analysis, and network
  sandbox integration to protect vulnerable systems from the latest in threats, including
  ransomware.

• System security through application control, integrity monitoring & log inspection, enabling
  the lock-down of systems, discovery of unplanned or malicious changes to registry and key system
  files, as well as discovering anomalies in critical log files.







With these controls, Deep Security can help organizations:

• Defend against threats & protect against vulnerabilities, using proven IPS to instantly shield
  vulnerable applications and servers with a ‘virtual patch’ until they can be patched

• Keep malware off workloads, ensuring that servers and applications are protected and unusual
  behavior from attacks like ransomware is neutralized

• Lock down servers, making sure that only authorized applications can run

• Identify suspicious changes on servers, including flagging things like registry settings, system
  folders, and application files that shouldn’t change, when they do

• Accelerate compliance with key frameworks like the SANS/CIS Critical Security Controls, as well
  as key regulations like PCI DSS and HIPAA, delivering multiple security controls, central
  control, and easy reporting in a single product.


At a summary level, Deep Security can help with 10 of 20 of the Top 20 Critical Security Controls:

SANS/CIS TOP 20 CRITICAL SECURITY CONTROLS

1. Inventory of Authorized & Unauthorized Devices
2. Inventory of Authorized & Unauthorized Software
3. Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers
4. Continuous Vulnerability Assessment & Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, & Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring & Control
17. Security Skills Assessment & Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response Management
20. Penetration Tests & Red Team Exercises
MAPPING THE TOP 20 CRITICAL SECURITY CONTROLS


The table below provides a high-level mapping of Deep Security’s security controls to the SANS/CIS
Top 20 Critical Security Controls. It also provides commentary on where cloud service providers
(CSPs) like AWS, Microsoft Azure, and others have a role to play.


CIS CRITICAL SECURITY CONTROL | CLOUD SERVICE PROVIDER ROLE | APPLICATION OF SECURITY CONTROLS


1. Inventory of Authorized & Unauthorized Devices: Actively manage (inventory, track & correct)
all hardware devices on the network so that only authorized devices are given access, and
unauthorized & unmanaged devices are found and prevented from gaining access.
   Cloud service provider role: Will typically be able to generate asset lists via an API
   Application of security controls: Organizations should implement & enforce:
   • Change management
   • Source control
   • Restrict access to APIs
   • Automated server discovery across physical, virtual, & cloud


2. Inventory of Authorized & Unauthorized Software: Actively manage (inventory, track & correct)
all software on the network so that only authorized software is installed and can execute, and
that unauthorized & unmanaged software is found and prevented from installation or execution.
   Cloud service provider role: No controls
   Application of security controls: Organizations should implement & enforce:
   • Change management
   • Source control
   • Application control (whitelisting)
   • Integrity monitoring


3. Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, &
Servers: Establish, implement, and actively manage (track, report on, correct) the security
configuration of laptops, servers, workstations using a rigorous configuration management and
change control process in order to prevent attackers from exploiting vulnerable services and
settings.
   Cloud service provider role: Change control of the IaaS layer
   Application of security controls: Organizations should implement & enforce:
   • Change management
   • Source control
   • Application control (whitelisting)
   • Integrity monitoring


4. Continuous Vulnerability Assessment & Remediation: Continuously acquire, assess, and take
action on new information in order to identify vulnerabilities, remediate, & minimize the window
of opportunity for attackers.
   Cloud service provider role: They provide:
   • Routing tables
   • Network access control lists
   • Security groups
   Application of security controls: Organizations should implement & enforce:
   • Scans as part of deployment
   • Intrusion prevention (IPS)
   • Strong patch management
5. Controlled Use of Administrative Privileges: The processes and tools used to
track/control/prevent/correct the use, assignment, and configuration of administrative privileges
on computers, networks, and applications.
   Cloud service provider role: They provide:
   • IAM (Identity & Access Management)
   • Granular policy support
   Application of security controls: Organizations should implement & enforce:
   • Principle of least privilege
   • Regular review of access


6. Maintenance, Monitoring, & Analysis of Audit Logs: Collect, manage, and analyze audit logs of
events that could help detect, understand, or recover from an attack.
   Cloud service provider role: They provide:
   • Storage
   • Logging at the IaaS level
   • Netflow logs
   Application of security controls: Organizations should implement & enforce:
   • Centralized logging
   • SIEM (Deep Security supports the leaders, including HP ArcSight, IBM QRadar, & Splunk)
   • Log inspection


7. Email and Web Browser Protections: Minimize the attack surface and the opportunities for
attackers to manipulate human behavior through their interaction with web browsers & email
systems.
   Cloud service provider role: No controls
   Application of security controls: Organizations should implement & enforce:
   • Regular endpoint patching
   • Anti-malware w/ behavioral analysis
   • Web reputation services
   • Intrusion prevention (IPS)


8. Malware Defenses: Control the installation, spread, and execution of malicious code at multiple
points in the enterprise, while optimizing the use of automation to enable rapid updating of
defense, data gathering, & corrective action.
   Cloud service provider role: No controls
   Application of security controls: Organizations should implement & enforce:
   • Change management
   • Anti-malware w/ behavioral analysis
   • Sandbox integration
   • Integrity monitoring
   • Web reputation services


9. Limitation and Control of Network Ports, Protocols, and Services: Manage (track/control/correct)
the ongoing operational use of ports, protocols, and services on networked devices in order to
minimize windows of vulnerability available to attackers.
   Cloud service provider role: They provide:
   • Security groups
   Application of security controls: Organizations should implement & enforce:
   • Application control
   • Secure OS configuration
   • Intrusion prevention (IPS)
   • Firewall


10. Data Recovery Capability: The processes and tools used to properly back up critical
information with a proven methodology for timely recovery of it.
   Cloud service provider role: They provide:
   • Snapshots for workloads
   • Snapshots for databases
   • Simple high availability
   Application of security controls: Organizations should implement & enforce:
   • Regular automated snapshots
   • Test restoration


11. Secure Configurations for Network Devices: Establish, implement, and actively manage (track,
report on, correct) the security configuration of network infrastructure devices using a rigorous
configuration management and change control process.
   Cloud service provider role: They implement & enforce:
   • Configuration of network fabric
   • Separation of virtual private clouds
   Application of security controls: Organizations should implement & enforce:
   • Route tables
   • Network access control lists
   • Security groups
12. Boundary Defense: Detect/prevent/correct the flow of information transferring across networks
of different trust levels with a focus on security-damaging data.
   Cloud service provider role: They provide:
   • Routing tables
   • Network access control lists
   • Security groups
   Application of security controls: Organizations should implement & enforce:
   • Good network design
   • Intrusion prevention (IPS)
   • Firewall


13. Data Protection: The processes and tools used to prevent data exfiltration, mitigate the
effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
   Cloud service provider role: They provide:
   • IAM (Identity & Access Management)
   Application of security controls: Organizations should implement & enforce:
   • Strict access control
   • Encryption of sensitive data where possible and practical


14. Controlled Access Based on the Need to Know: The processes and tools used to
track/control/prevent/correct secure access to critical assets according to the formal
determination of which persons, computers, and applications have a need and right to access these
critical assets based on an approved classification.
   Cloud service provider role: They provide:
   • Routing tables
   • Network access control lists
   • Security groups
   Application of security controls: Organizations should implement & enforce:
   • Good network design
   • Change management
   • Asset management
   Note: Log inspection & firewall may help to track and prevent access in some situations


15. Wireless Access Control: The processes and tools used to track/control/prevent/correct the
security use of wireless local area networks (LANs), access points, and wireless client systems.
   Cloud service provider role: Not applicable
   Application of security controls: Not applicable


16. Account Monitoring & Control: Actively manage the life cycle of system and application
accounts (their creation, use, dormancy, deletion) in order to minimize opportunities for attackers
to leverage them.
   Cloud service provider role: They provide:
   • IAM (Identity & Access Management)
   Application of security controls: Organizations should implement & enforce:
   • No shared accounts
   Note: Log inspection may help to track and report on account information in some applications
   via logs


17. Security Skills Assessment & Appropriate Training to Fill Gaps: For all functional roles in the
organization, identify the specific knowledge, skills, and abilities needed to support defense of
the enterprise.
   Cloud service provider role: Not applicable
   Application of security controls: Organizations should implement & enforce:
   • A culture of security that spans all functions
   • A business strategy that is secure by design


18. Application Software Security: Manage the security life cycle of all in-house developed and
acquired software in order to prevent, detect, and correct security weaknesses.
   Cloud service provider role: No controls
   Application of security controls: Organizations should implement & enforce:
   • Change management
   • Robust SDLC
   • Intrusion prevention (IPS & virtual patching)


19. Incident Response Management: Protect the organization’s information, as well as its
reputation, by developing and implementing an incident response infrastructure for quickly
discovering an attack and then effectively containing the damage, eradicating the attacker’s
presence, and restoring the integrity of the network and systems.
   Cloud service provider role: No controls
   Application of security controls: Organizations should implement & enforce:
   • Clear, easy-to-follow process
   • Simple communications flow
   • Repeatable procedures


20. Penetration Tests & Red Team Exercises: Test the overall strength of an organization’s
defenses (the technology, the processes, and the people) by simulating the objectives and actions
of an attacker.
   Cloud service provider role: No controls
   Application of security controls: Organizations should provide:
   • Scope of engagement
   • Permission from CSP

















Find out more about how Trend Micro Deep Security can help you more effectively and efficiently implement the SANS Top 20 Critical Security 
Controls for an effective cyber defense on our web site at www.trendmicro.com/hybridcloud. 


Trend Micro Incorporated, a global leader in security software, strives to make the world safe for
exchanging digital information. Our innovative solutions for consumers, businesses and governments
provide layered content security to protect information on mobile devices, endpoints, gateways,
servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence,
the Trend Micro™ Smart Protection Network™, and are supported by over 1,200 threat experts around
the globe. For more information, visit http://www.trendmicro.com/

Securing Your Journey to the Cloud


© 2017 by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo,
and Smart Protection Network are trademarks or registered trademarks of Trend Micro Incorporated.
All other company and/or product names may be trademarks or registered trademarks of their owners.
Information contained in this document is subject to change without notice. [WPO1_CIS_Top10_170714US]